Setting up WiFi with a FortiAP

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this recipe, you will set up a WiFi network with a FortiGate managing a FortiAP in Tunnel mode.

You can configure a FortiAP unit in either Tunnel mode or Bridge mode. Tunnel mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only subnet for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet.

For information about using a FortiAP in Bridge mode, see Setting up a WiFi bridge with a FortiAP.

 

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

 

1. Connecting and authorizing the FortiAP unit

Go to Network > Interfaces and edit the interface that will connect to the FortiAP (in this example, port 16).

Set Addressing Mode to Manual and set an IP/Network Mask.

Under Administrative Access, enable CAPWAP and optionally enable PING to test your connection.

Under Networked Devices, enable both Device Detection and Active Scanning.

 

Connect the FortiAP unit to the interface.

 

Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The device is not yet authorized, as indicated by the  in the State column.

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them.

 

Right-click on the FortiAP, and select Authorize.

 

The device interface will be down initially, but after a few minutes, hit the Refresh button and a  will confirm that the device is authorized.

Make sure that your FortiAP is on the latest firmware. If the OS Version shows the message “A new firmware version is available,” then check the release notes for your product on the Fortinet Support Site.

 

You can download the firmware images from the Support Site to your Local Hard Disk, or you can select A new firmware version is available and download the latest version directly from FortiGuard.

 

2. Creating an SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to Tunnel.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Enable Device Detection and Active Scanning.

Name the SSID (in the example, MyNewWiFi).

Set the Security Mode as required and enter a secure Pre-shared Key.

Enable Broadcast SSID.

 

3. Creating a custom FortiAP profile

Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile.

Set Platform to the FortiAP model you are using (FAP221C in this recipe).

Set the Country/Region and you have the option to set your AP Login Password.

Make sure the Radio 1 is set to Access Point, and leave the SSID set to Auto.

 

 

Go to WiFi & Switch Controller > Managed FortiAPs and right-click on the FortiAP you added earlier. Select Assign Profile and set the FortiAP to use the new SSID profile (in the example, MyProfile).

By default, the FortiGate assigns all SSIDs to this profile.

 

4. Allowing wireless access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface. Confirm that NAT is enabled.

 

5. Results

Connect to the SSID with a wireless device. After a connection is established, browse the Internet to generate traffic.

 
From the policy list pageright-click on your wireless policy and select Show in FortiView or go directly to FortiView > All Sessions.  
You can view more details by selecting various tabs (Sources, Destinations, Applications, Countries, Sessions).

For further reading, check out Configuring a WiFi LAN in the FortiOS 5.6 Handbook.

Kayla Robinson

Kayla Robinson

Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.
Kayla Robinson

Latest posts by Kayla Robinson (see all)

  • Was this helpful?
  • Yes   No
Note that some FortiGate models may not have the Active Scanning option, and it is not required for the recipe.
It may take a few minutes for the FortiAP to appear.
You can disable this in the CLI. See Deploying Wireless Networks.
Alternatively, select the FortiAP unit on the list and select Authorize from the top menu.
The SSID defaults to automatically assign Tunnel-mode SSIDs.
Located under Policy & Objects > IPv4 Policy.
  • Alex

    It would so good if you could append CLI configuration after every GUI-heavy “recipe”. Those multiple pages of screenshots and descriptions are more succinctly shown as CLI commands.

    • Judith Haney

      Hello Alex,
      Your suggestion is one that has been considered by the Fortinet Docs team in the past. We certainly see the value of including the CLI configuration in addition to the GUI steps in the Cookbook’s recipes. Unfortunately, due to time and resources, we don’t have this as a step in the recipe making process at present.
      best regards,
      Judith